CVE-2023-45278
📋 TL;DR
This CVE describes a directory traversal vulnerability in Yamcs 5.8.6's API storage functionality that allows attackers to delete arbitrary files on the server via crafted HTTP DELETE requests. Organizations running vulnerable Yamcs instances are affected, particularly those with internet-facing deployments or insufficient access controls.
💻 Affected Systems
- Yamcs
📦 What is this software?
Yamcs by Spaceapplications
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, configuration files, or application data leading to service disruption, data loss, or privilege escalation.
Likely Case
Unauthorized deletion of application files, configuration files, or user data causing service disruption, data loss, and potential business impact.
If Mitigated
Limited impact with proper file permissions, network segmentation, and access controls preventing exploitation or containing damage.
🎯 Exploit Status
The vulnerability is triggered by sending crafted HTTP DELETE requests to the vulnerable storage endpoint. The public description does not mention an authentication bypass, and it also does not state whether the endpoint requires authentication at all, so a deployment should not assume the endpoint is protected until its own access-control configuration has been checked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.7
Vendor Advisory: https://github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7
Restart Required: Yes
Instructions:
1. Back up your Yamcs configuration and data.
2. Upgrade to Yamcs 5.8.7 or later.
3. Restart the Yamcs service.
4. Verify the fix by testing the previously vulnerable endpoint.
🔧 Temporary Workarounds
Restrict API Access
Block or restrict access to the vulnerable API endpoint using network controls or a web application firewall. Example (Linux):
iptables -A INPUT -p tcp --dport <yamcs_port> -m string --string "DELETE /api/storage" --algo bm -j DROP
Note that this string match only works for plaintext HTTP (it cannot see inside TLS), drops every DELETE to /api/storage including legitimate bucket operations, and does not match a request whose verb and path are split across packets; treat it as a stopgap, not a replacement for the patch.
Implement File Permissions
Set strict file permissions on critical directories to limit what can be deleted even if the vulnerability is exploited. Example (Linux):
chmod 755 /path/to/yamcs/data
chown root:root /path/to/yamcs/data
Apply this only to directories the Yamcs process reads but never writes: the process needs write access to its own bucket and data directories, and making those root-owned and non-writable will break normal storage operations rather than protect them.
🧯 If You Can't Patch
- Implement network segmentation to isolate Yamcs instances from critical systems.
- Deploy a web application firewall (WAF) with rules to detect and block directory traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Check if running Yamcs version 5.8.6 or earlier and if the API storage endpoint is accessible.
Check Version:
Run yamcs --version, or check the version shown in the Yamcs web interface.
Verify Fix Applied:
After patching, attempt to exploit the vulnerability with a test DELETE request to confirm it's blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP DELETE requests to /api/storage/* with directory traversal patterns (e.g., ../)
- File deletion events in system logs
Network Indicators:
- Unusual DELETE request patterns to Yamcs API endpoints
- Traffic spikes to storage endpoints
SIEM Query:
source="yamcs.log" AND "DELETE" AND "/api/storage" AND (".." OR "%2e%2e")
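The SIEM query above only catches the literal ".." and "%2e%2e" forms. A log scanner that decodes the request path before looking for traversal catches double-encoded and backslash variants as well. The following is an added example written for this page, not code from the Yamcs project; the access-log lines are constructed for the example and the log format (common-log style with the request in quotes) is an assumption, so adjust REQUEST_RE to match your real Yamcs or reverse-proxy log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Yamcs output). Only the
# quoted "METHOD PATH HTTP/x.y" request field is used by the scanner.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:01:02 +0000] "GET /api/storage/buckets/displays/objects/main.par HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2023:10:01:09 +0000] "DELETE /api/storage/buckets/displays/objects/old.par HTTP/1.1" 200 0
10.0.0.9 - - [12/Oct/2023:10:02:15 +0000] "DELETE /api/storage/buckets/displays/objects/../../../../etc/passwd HTTP/1.1" 200 0
10.0.0.9 - - [12/Oct/2023:10:02:31 +0000] "DELETE /api/storage/buckets/displays/objects/%2e%2e%2f%2e%2e%2fyamcs.yaml HTTP/1.1" 200 0
10.0.0.9 - - [12/Oct/2023:10:02:40 +0000] "DELETE /api/storage/buckets/displays/objects/%252e%252e%252fsecret HTTP/1.1" 404 0
10.0.0.9 - - [12/Oct/2023:10:03:01 +0000] "DELETE /api/storage/buckets/displays/objects/..%5c..%5cconfig HTTP/1.1" 200 0
10.0.0.7 - - [12/Oct/2023:10:03:30 +0000] "GET /api/mdb/simulator/parameters HTTP/1.1" 200 2048
"""

# Assumed log layout: the request line appears in double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def normalize_path(raw, max_rounds=3):
    """Percent-decode until stable (bounded), then fold backslashes to slashes,
    so that %2e%2e, %252e%252e and ..%5c all surface as a literal '..' segment."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def has_traversal(path):
    """True if any path segment is exactly '..' after normalization."""
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text):
    """Return one finding per DELETE to /api/storage/ whose decoded path
    contains a traversal segment. Each finding keeps the raw and decoded path
    so an analyst can see which encoding was used."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, raw = m.group("method"), m.group("path")
        if method != "DELETE":
            continue
        path = normalize_path(raw)
        if not path.startswith("/api/storage/"):
            continue
        if has_traversal(path):
            findings.append({"line": lineno, "raw": raw, "normalized": path})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['raw']}  ->  {f['normalized']}")
```

Legitimate DELETEs of bucket objects (line 2 of the sample) are not flagged, while the plain, single-encoded, double-encoded and backslash-encoded traversal attempts are. Bounding the decode loop matters: an unbounded "decode until stable" loop is itself a cheap way for an attacker to burn CPU in the log pipeline.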
🔗 References
- https://github.com/yamcs/yamcs/compare/yamcs-5.8.6...yamcs-5.8.7
- https://www.linkedin.com/pulse/yamcs-vulnerability-assessment-visionspace-technologies